Hi all, I'm sort of new to GPG/PGP. I'm not new to the encryption/crypto world or to computers; however, some concepts are not yet clear to me.

I can't get my head around how to use GPG in the "correct" way to guarantee the maximum result. That is: protect my privacy as well as possible, and also not make the system too complicated. The problems that I have are multiple; I'll try to summarize them here, asking for help. I've read the manual, but it's a bit outdated, and online I found scattered information that does not always explain why some decisions are made.

My ideal setup is:
- Master generated on an offline PC and stored in cold storage
- Subkeys for the PC (main PC, that I use every day) - I need (A)uthenticate, (E)ncrypt and (S)ign keys
- Subkeys for the smartcard - if I use someone else's PC, and as a backup for what it's worth. (In the future I may switch to just the smartcard, removing the keys from the PC, but I would like to have the keys on the PC for the time being.)
- I would like to avoid moving the master outside the offline PC/cold storage

Create the master:

I should create the master on a device that is not my primary one and that is not online. It seems kind of a freak approach to me, but I can understand why. Once created, I back it up to a file which I store on a USB key or somewhere outside of computers. With the master I can create, later, subkeys for what I need and the revocation certificate in case of compromised subkeys.

Other than the master key, do I have to export anything else (not talking of subkeys yet, that's the next topic)?

When creating the master, I have two possibilities: (i) use the default setting that results in a (SC) key or (ii) set it as only (C). The best solution seems to be the second, right? (http://security.stackexchange.com/questions/32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-tie-certification-with-sig). Is it worth using that approach or, as of today, is (i) fine? I still don't get the full benefit of one or the other solution.

Create the subkey:

With the master key I can create subkeys. I should do it from the offline PC on which I created the key, or import the master into a PC and then create the subkeys (it doesn't sound so safe though). Now:
- Should each subkey be for only one scope (A) (S) (E), or is it fine if one key does two or three scopes (ASE) or (SE)?
- Once subkeys are created, I have to export them and also their revocation certificates (do they have one)? Correct?
- I have a smartcard, but I also have a PC. Should I create 6 subkeys, 2 for A, 2 for S and 2 for E, and move the 3 A S E to the YubiKey and the other 3 to the PC?
- Moving the keys onto the smartcard is done via "keytocard", but to move the keys onto the PC I have to export subkeys. Will this also export the keys on the smartcard, and then I'll need the smartcard to access some of those? How can I decide what to import where?
- Do I have to re-export my public key or anything else to let the world know about my subkeys?
- Do I have to export anything else to achieve my scenario's goal?

Am I missing anything? Or is there anything that can guide me to achieving my goals?

PS: Sorry for the long questions, but I can't find online something that explains my scenario. Solutions are for base cases or for smartcard only. Well, probably there's a guide, but I can't find it.

-- Stefano
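The part of the setup that can be exercised without hardware (certify-only primary, one subkey per role, the three different exports, and the check that the daily PC only holds a stub of the primary) as an added example; this is not code from the original post or from the GnuPG project. It assumes GnuPG 2.1 or later for the --quick-* commands and the automatic revocation certificate, uses throwaway GNUPGHOME directories under mktemp, and the user id, expiry values and file names are placeholders. The keytocard step is left out because it needs the card attached.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GnuPG 2.1 or later
# (the --quick-* commands); the user id, directories and expiry are placeholders.
set -eu

# Run gpg against a private keyring directory ($1) so the real keyring is untouched.
# The empty passphrase is for the throwaway demo only.
gpgh() {                                  # gpgh <dir> <gpg args...>
    _home=$1; shift
    GNUPGHOME="$_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# "Offline PC" step: certify-only primary that never expires, plus one subkey
# per role (sign / encrypt / authenticate), one year each. Prints the fingerprint.
make_keys() {                             # make_keys <dir>
    _home=$1
    mkdir -p "$_home" && chmod 700 "$_home"
    gpgh "$_home" --quick-generate-key "Example User <user@example.invalid>" ed25519 cert never >/dev/null
    _fpr=$(gpgh "$_home" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
    gpgh "$_home" --quick-add-key "$_fpr" ed25519 sign 1y >/dev/null
    gpgh "$_home" --quick-add-key "$_fpr" cv25519 encr 1y >/dev/null
    gpgh "$_home" --quick-add-key "$_fpr" ed25519 auth 1y >/dev/null
    printf '%s\n' "$_fpr"
}

# Three exports, three destinations. GnuPG 2.1+ also writes a revocation
# certificate for the primary into openpgp-revocs.d at generation time;
# this prints that file's path.
export_sets() {                           # export_sets <dir> <fpr>
    _home=$1; _fpr=$2
    gpgh "$_home" --armor --export-secret-keys    "$_fpr" > "$_home/primary-full.asc"  # cold storage
    gpgh "$_home" --armor --export-secret-subkeys "$_fpr" > "$_home/subkeys-only.asc"  # daily PC
    gpgh "$_home" --armor --export                "$_fpr" > "$_home/public.asc"        # publish
    printf '%s\n' "$_home/openpgp-revocs.d/$_fpr.rev"
}

# Capability letters from the colon listing (field 12): lowercase = this key's
# own flags, uppercase on the pub line = what the whole key can do via subkeys.
primary_caps() { gpgh "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $12; exit}'; }
subkey_caps()  { gpgh "$1" --with-colons --list-keys "$2" | awk -F: '$1=="sub"{print $12}' | tr '\n' ' ' | sed 's/ $//'; }

# "Daily PC" step: import the subkeys-only file into a second keyring and print
# field 15 of the sec line, which is '#' when the primary secret is only a stub.
import_to_pc() {                          # import_to_pc <offline_dir> <pc_dir>
    _src=$1; _pc=$2
    mkdir -p "$_pc" && chmod 700 "$_pc"
    gpgh "$_pc" --import "$_src/subkeys-only.asc" >/dev/null
    gpgh "$_pc" --with-colons --list-secret-keys | awk -F: '$1=="sec"{print $15; exit}'
}

# Stop the agent each throwaway keyring started.
cleanup() { GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true; }

# Walk through the whole flow when run as: DEMO=1 sh this_file.sh
if [ "${DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    fpr=$(make_keys "$d/offline")
    echo "primary: $(primary_caps "$d/offline" "$fpr")   subkeys: $(subkey_caps "$d/offline" "$fpr")"
    echo "revocation cert: $(export_sets "$d/offline" "$fpr")"
    echo "primary on daily PC is a stub: $(import_to_pc "$d/offline" "$d/pc")"
    cleanup "$d/offline"; cleanup "$d/pc"
fi
```

Running it with DEMO=1 shows the pub line's own capability as just "c" while the sub lines read "s", "e" and "a", and after importing subkeys-only.asc the second keyring reports "#" for the primary (what `gpg -K` shows as `sec#`), which is the property the daily PC should have: it can sign, decrypt and authenticate, but cannot certify or add subkeys. The public.asc export already carries the subkeys, so it is the file to re-publish whenever a subkey is added or revoked.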
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users